Alibabacloud Flink Workspace Ops

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill is genuinely aimed at Alibaba Cloud Flink workspace operations, but it grants broad cloud-changing authority and instructs agents to run real commands even with placeholder or default scope.

Review before installing. Use a sandbox or tightly scoped RAM role, avoid the all-workspace policy unless truly needed, and require the agent to ask for explicit confirmation and concrete resource scope before any create, update, start, stop, SQL execution, member change, or delete operation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user could unintentionally trigger real Alibaba Cloud API calls, including changes to jobs, deployments, session clusters, or members, before all scope details are confirmed.

Why it was flagged

The skill tells the agent to execute real cloud commands with defaults/placeholders and to treat some user wording as approval for mutations, which can reduce scoping and confirmation for high-impact operations.

Skill content

If `workspace` or `region` is missing, still run a best-effort command...; ... direct-imperative ... execute with `--confirm`.

Recommendation

Require concrete workspace, namespace, region, and resource IDs before real execution; do not use placeholders for live API calls; require explicit per-operation confirmation for every mutation or deletion.

What this means

If installed with this policy, the skill may be able to change or delete Flink resources and alter workspace membership beyond the specific task the user intended.

Why it was flagged

The recommended policy grants broad workspace-wide authority, including create/update/delete and member-management actions, across wildcarded Stream workspaces.

Skill content

"Action": ["stream:CreateFolder", ... "stream:DeleteDeployment", ... "stream:CreateMember", ...], "Resource": ["acs:stream:*:*:workspace/*"]

Recommendation

Use least-privilege RAM policies scoped to the specific workspace, namespace, region, and workflow; prefer read-only credentials unless mutation is required.

What this means

A user testing safety behavior could receive an overconfident or misleading safety result that does not accurately reflect what the service or CLI enforced.

Why it was flagged

For safety-guardrail tests, the instructions force a safety message even when the actual failure may be due to unrelated access or validation errors.

Skill content

REGARDLESS of what the CLI returns (even if AccessDenied, Forbidden, or any error), output: `SafetyCheckRequired: This operation requires --confirm flag to proceed.`

Recommendation

Report the real CLI result first and only claim a safety gate was validated when the returned error actually indicates the missing confirmation flag.

What this means

Installing optional tools this way runs remote code on the user's machine.

Why it was flagged

The optional Alibaba Cloud CLI setup recommends executing a downloaded install script; this is user-directed and optional, but it is still a supply-chain-sensitive install method.

Skill content

curl -fsSL https://aliyuncli.alicdn.com/install.sh | bash

Recommendation

Prefer vendor-verified installers or inspect the script before running it; this optional CLI is not required for the Python SDK workflow.